Embedded software design with Polychrony

Embedded software design with Polychrony DATE 09 tutorial on Correct-by-Construction Embedded Software Synthesis: Formal Frameworks, Methodologies, and Tools Jean-Pierre Talpin, RIA List of contributors Albert enveniste, Paul Le Guernic, Thierry Gautier, Loïc esnard, Dumitru Potop, enoît Caillaud Embedded software design with Polychrony Motivations Key challenge in system design Engineering or mathematics? Polychronous model of computation The essence of polychrony The old-fashioned watch Data structures and code generation From equations to programs Dehronization and mapping Use for architecture modeling and analysis Conclusive remarks 2

Key challenge in system design CATIA Nastran Simulink Scade Rhapsody eterogeneity of skills, teams, tools, methods CAN Flexray ARC 653 ECU/LRU Profiling Energy 3 Key challenge in system design CATIA Nastran Simulink Scade Rhapsody analyse simulate CAN Flexray ARC 653 ECU/LRU Profiling Energy map 4

Key challenge in system design analyse CATIA Nastran Simulink Scade Rhapsody simulate CAN Flexray ARC 653 ECU/LRU Profiling Energy map 5 Engineering or mathematics? FORGET REMEMER RTOS, RME, scheduling COTS, reuse ARC 653, architactures C, Java, programming Simulink, UML, modeling... Specifying sets and surfaces by equations Intersecting them by systems of equations Equations with no, one or many solutions Fixed-point and differential equations Solving them may be difficult 6

Engineering or mathematics? ENGEERG MATEMATICS You want to reuse components Specifying sets and surfaces by equations Design system by composing modules Composition may be blocking or non deterministic Embedded systems have real-time behaviors Intersecting them by systems of equations Equations with no, one or many solutions Fixed-point and differential equations Generate and execute code for components Solving them may be difficult 7 Engineering or mathematics? MATEMATICS ENGEERG Composition is easy Execution is hard Composition is hard Execution is easy 8

The essence of polychrony MATEMATICS POLYCRONY Composition is easy Execution is hard Synchronous composition is easier Code generation is harder The theory amounts to solving equations in a specific model of computation and communication 9 The essence of polychrony What it is not Synchronous hardware Synchronous dataflow Simulink diagrams (simple ones) Each module has a single clock that triggers all signals All different clocks are derived and sampled from a global master clock via a frequency or phase mechanism 10

The essence of polychrony What it is not Synchronous hardware Synchronous dataflow Simulink diagrams (simple ones) Execution is easy 11 The essence of polychrony What it is not Synchronous hardware Synchronous dataflow Simulink diagrams (simple ones) Execution is easier but... 12

The essence of polychrony What it is not Synchronous hardware Synchronous dataflow Simulink diagrams (simple ones) Execution is easier Composition is harder 13 The essence of polychrony What it is Specification of open systems with hronous software components: polychrony Prepared to accept more components Each module is a hronous software There is no global master clock The different clocks can be related by hronization constraints 14

The essence of polychrony What it is Specification of open systems with hronous software components: polychrony Prepared to accept more components Execution is harder 15 The essence of polychrony What it is Specification of open systems with hronous software components: Polychronous Clocks can be related by hronization constraints Execution is harder Composition is simpler 16

Embedded software design with Polychrony Motivations Key challenge in system design Engineering or mathematics? Polychronous model of computation The essence of polychrony The old-fashioned watch Data structures and code generation From equations to programs Dehronization and mapping Use for architecture modeling and analysis Conclusive remarks 17 The old-fashioned watch This is an old mechanical watch like the one I have. Turn the spring. The watch goes for some time, and then stops. When it stops, turn again the spring and so on Albert enveniste This is an interesting example: the output up-samples the input, hence it is not a data-flow function. We show how to analyze and execute it. 18

The old-fashioned watch In equational style ( := default Z-1 Z := $ init 0 ^= when (Z < 0) ) Input Decrement Return if positive Input is negative... Z > 0 Z < 0 19 The old-fashioned watch In diagrammic style (Eclipse) ( := default Z-1 Z := $ init 0 ^= when (Z < 0) ) Z > 0 Z < 0 20

The old-fashioned watch A few definitions ( := default Z-1 Z := $ init 0 ^= when (Z < 0) ) (t 0, 0) {(t 0, 0), (t 1, 3), (t 2, 2), (t 3,1), (t 4, 0)} (t 0, 0)<(t 1, 3)<(t 2, 2)<(t 3,1)<(t 4, 0) An event is a time tag and a value A signal is a set of events Its time tags are totally ordered 21 The old-fashioned watch A few definitions ( := default Z-1 Z := $ init 0 ^= when (Z < 0) ) (t 0, 3) (t 4, 3) Z (t 0, 0) (t 1, 3) (t 2, 2) (t 3,1) (t 4, 0) (t 0, 3) (t 1, 2) (t 2, 1) (t 3,0) (t 4, 3) A trace is a set of signals Its time tags are partially ordered A process is a set of trace 22

The old-fashioned watch A few definitions ( := default Z-1 Z := $ init 0 ^= when (Z < 0) ) (u 0, 3) (u 4, 3) Z (t 0, 0) (t 1, 3) (t 2, 2) (t 3,1) (t 4, 0) Tags are related when events are hronized and equations are composed ^= when (Z < 0) 23 The old-fashioned watch A demo t 0!! t 1 t 4 Z < 0 t 3 t 2 (t 0, 3) (t 4, 3) Z (t 0, 0) (t 1, 3) (t 2, 2) (t 3,1) (t 4, 0) (t 0, 3) (t 1, 2) (t 2, 1) (t 3,0) (t 4, 3) 24

Embedded software design with Polychrony Motivations Key challenge in system design Engineering or mathematics? Polychronous model of computation The essence of polychrony The old-fashioned watch Data structures and code generation From equations to programs Dehronization and mapping Use for architecture modeling and analysis Conclusive remarks 25 Scheduling and execution From equations to programs ( := default Z-1 Z := $ init 0 ^= when (Z < 0) ) (u 0, 3) (u 4, 3) Z (t 0, 0) (t 1, 3) (t 2, 2) (t 3,1) (t 4, 0) Synchronization (DDs) ^= when (Z < 0) (u 0, 3) (u 4, 3) (t 0, 0) (t 1, 3) (t 2, 2) (t 3,1) (t 4, 0) Causality (scheduling graphs) := default Z-1 26

Scheduling and execution Equations for hronization := default Z-1 Z := $ init 0 ^= (Z < 0) ^= ^= ^= ^= Z Scheduling graph Causality Clock causality - Z 27 Scheduling and execution Equations for hronization := default Z-1 Z := $ init 0 ^= (Z < 0) ^= ^= ^= ^= Z Scheduling graph Evaluated nodes in red Root(s) of the graph State variable(s) Enabled transitions in red - Z 28

Scheduling and execution Equations for hronization := default Z-1 Z := $ init 0 ^= (Z < 0) ^= ^= ^= ^= Z Scheduling graph Evaluation in red Immediate successors All predecessors of are enabled - Z 29 Scheduling and execution Equations for hronization := default Z-1 Z := $ init 0 ^= (Z < 0) ^= ^= ^= ^= Z Scheduling graph Evaluation in red Value can be determined from its predecessors - Z 30

Scheduling and execution Equations for hronization := default Z-1 Z := $ init 0 ^= (Z < 0) ^= ^= ^= ^= Z Scheduling graph Evaluation in red Initially is true is active Its transition is active true false Z 31 Scheduling and execution Equations for hronization := default Z-1 Z := $ init 0 ^= (Z < 0) ^= ^= ^= ^= Z Scheduling graph Evaluation in red can be computed true false Z 32

Scheduling and execution Equations for hronization := default Z-1 Z := $ init 0 ^= (Z < 0) ^= ^= ^= ^= Z Scheduling graph Evaluation in red Second time, is false is inactive false true Z 33 Scheduling and execution Equations for hronization := default Z-1 Z := $ init 0 ^= (Z < 0) ^= ^= ^= ^= Z Scheduling graph Evaluation in red is computed from Z false true Z 34

Scheduling and execution Equations for hronization := (Z < 0) ^= ^= ^= ^= Z Scheduling graph <- when <- Z when <- (,Z) <- Z <- <- Clock and scheduling relations are part of the Signal syntax 35 Scheduling and execution Equations for hronization := (Z < 0) ^= ^= ^= ^= Z Scheduling graph <- when <- Z when <- (,Z) <- Z <- <- Clock and scheduling relations define an interface model used to : represent a module in its environment separately compile a module map a set of modules on an architecture 36

Scheduling and execution Equations for hronization := (Z < 0) ^= ^= ^= ^= Z Scheduling graph <- when <- Z when <- (,Z) <- Z <- <- Clock and scheduling relations define a calculus to : give an operational semantics and interpret a system of equations define correctness-preserving transformations and code generation functionalities 37 Scheduling and execution Code generation if (!read_watch_(&)) = < 0; if () { if (!read_watch_(&)) = ; } else = - 1; write_watch_(); return TRUE; - Z Clocks and scheduling relations 38

Scheduling and execution Code generation if (!read_watch_(&)) = < 0; if () { if (!read_watch_(&)) = ; } else = - 1; write_watch_(); return TRUE; - Z is available 39 Scheduling and execution Code generation if (!read_watch_(&)) = < 0; if () { if (!read_watch_(&)) = ; } else = - 1; write_watch_(); return TRUE; - Z The state variable is fetch 40

Scheduling and execution Code generation if (!read_watch_(&)) = < 0; if () { if (!read_watch_(&)) = ; } else = - 1; write_watch_(); return TRUE; - Z is computed 41 Scheduling and execution Code generation if (!read_watch_(&)) = < 0; if () { if (!read_watch_(&)) = ; } else = - 1; write_watch_(); return TRUE; - Z is tested 42

Scheduling and execution Code generation if (!read_watch_(&)) = < 0; if () { if (!read_watch_(&)) = ; } else = - 1; write_watch_(); return TRUE; false Z Initially, is true true 43 Scheduling and execution Code generation if (!read_watch_(&)) = < 0; if () { if (!read_watch_(&)) = ; } else = - 1; write_watch_(); return TRUE; false Z is fetch true 44

Scheduling and execution Code generation if (!read_watch_(&)) = < 0; if () { if (!read_watch_(&)) = ; } else = - 1; write_watch_(); return TRUE; false Z is computed and sent true 45 Scheduling and execution Code generation if (!read_watch_(&)) = < 0; if () { if (!read_watch_(&)) = ; } else = - 1; write_watch_(); return TRUE; true Z Next time, will be false false 46

Scheduling and execution Model transformation and code generation based on clocks and scheduling relations Serialization reinforcement of a graph for sequential code generation Input-driven or output-driven clustering for modular code generation Distributed code generation GALS architecture mapping - Z 47 Correctness What if is not hronized? := default Z-1 Z := $ init 0 ^= (Z < 0) ^= ^= ^= ^= Z Consequence is still deterministically defined by or Z Is this harmless? - Z 48

Correctness In a hronous environment still has its own clock Input signals _ clock 3 2 1 0 Output signal The clock still decides when to schedule and The clock is deterministic - Z 49 Correctness In an ahronous environment, timing is elastic Input channels GALS wrapper clock Output channel Synchronous signals are interfaced to ahronous channels Reaction triggering defines module activation - Z 50

Correctness ut the core relies on the absence or presence of? Output channel Input channels GALS wrapper clock The watch can be reset at any time The intended specification is broken 4 4 4 4? Output channel 4 3 2 1? Output channel 51 Correctness Endochrony The capability of a module to internally compute the presence or absence of all signals... so that it can be interfaced with ahronous channels This is deterministic This is endochronous Z - Z 52

Correctness Problem : endochrony is not compositional If two modules p and q are endochronous then p q not necessarily is Solution : weakening endochrony [Potop et al., 05-07] Existence of stuttering states From any execution point (e.g. in the scheduling graph) one reaches a stuttering state Confluence Two compatible reactions (e.g. two sub-graphs) can be scheduled in any order and yield to the same stuttering state 53 Correctness Weak endochrony is compositional If a module p is endochronous then it is weakly endochronous Z If two modules p and q are weakly endochronous if there composition p q is non blocking then p q is weakly endochronous G...... A conservative, static and compositional decision procedure 54

Embedded software design with Polychrony Motivations Key challenge in system design Engineering or mathematics? Polychronous model of computation The essence of polychrony The old-fashioned watch Data structures and code generation From equations to programs Dehronization and mapping Use for architecture modeling and analysis Conclusive remarks 55 Architecture modeling and analysis Example of the loosely time-triggered architecture (enveniste et al.) Writer, bus and reader are periodic They have non-hronized triggers hronous timed hronous timed ahronous timed (bounded delay) 56

Architecture modeling and analysis The loosely time-triggered protocol (EMSOFT 02) Upgrade LTTA with protocol for bounded inter-clock jitter Use GALS mapping techniques hronous timed hronous timed ahronous timed (bounded delay) 57 Architecture modeling and analysis RT-uilder (Geensys) Real-time simulation and architecture exploration, verification, validation Signal application module hronous communication refined as Signal application module Signal architecture module (*) Signal architecture module (*) Signal architecture module from library of components (*) example : library of Signal models for the APE ARC-653 real-time operating system services 58

Architecture modeling and analysis RT-uilder (Geensys) Real-time, hardware in-the-loop, simulation of electronic equipments 59 Conclusions - methodology Synchronous abstraction of heterogeneous functionalities Continuous and/or discrete real-time processing Sensor In Filter i Lo In Lo i Abstraction of control by partially ordered scheduling relations In is present iff either i or Lo is present i and Lo are never present simultaneously i and Lo cannot happen before In In i Lo 60

Conclusions - methodology A refinement-based design process Specification of multi-clocked systems by partially related symbolic clocks In Filter Tick i Lo Check Alarm Lo In i Tick Alarm Transformation and code generation for mapping on GALS architectures In Filter i us Tick i Check Alarm Lo ridge between functional specification and architecture modeling 61 Conclusions - methodology Component-based design process Encapsulation of heterogeneous functionalities with interface descriptions interface component component interface In In Filter i Tick i Check Alarm Tick Lo i Lo i Alarm Transport and integration of encapsulated functions and services In Filter Lo i us Tick i Check Alarm Pivot formalism for architecture exploration 62

Conclusions - tools An experimental toolset Signal data-flow language Libraries (RTOS services) Analysis engine Transformation algorithms Model checker Controller synthesis Import functionalities: GCC-SSA, StateCharts, Simulink, Lustre, Scade Code generators: C, C++, Java => SME, an Eclipse-TopCased plug-in 63 Conclusions - tools SME, hronous modeling environment An open-source Eclipse plugin for Polychrony A unified model of computation for architecture exploration of integrated modular avionics Data-flow for computation Mode automata for control Libraries for services An eclipse interactive interface Open import functionalities igh-level visual editor Analysis and transformation visualization and traceability Component of the TopCased and OpenEmbeDD project 64

Conclusions - tools Principle One diagram per conceptual view (SLAP 06) : Untimed data-flow diagram A relational timing model An open and extensible framework multi-clocked mode automata (EMSOFT 06) integrated modular avionics (SEAA 06) 65 Conclusions - tools Synoptic - domain-specific design language for space application software 66

Conclusion The polychronous model of computation and communication A clear and solid semantics Compositional correctness criteria A calculus of hronization and scheduling Sequential, modular, distributed code generation Interface models, abstraction and refinement Model (occ) transformations eterogeneous architecture modeling and analysis Virtual prototyping Tools RT-uilder by Geensys Polychrony, experimental and academic freeware by RIA 67 ibliography On the model of computation "Polychrony for system design" Le Guernic, P., Talpin, J.-P., Le Lann, J.-C. Journal for Circuits, Systems and Computers. Special Issue on Application Specific ardware Design. World Scientific, August 2003. On dehronization Correct-by-construction ahronous implementation of modular hronous specifications. D. Potop-utucaru,. Caillaud. In Fundamenta Informaticae. IOS Press, 2006. On architecture modeling "Polychronous design of embedded real-time systems" Gamatié, A., Gautier, T., Le Guernic, P., Talpin, J.-P. ACM Transactions on Software Engineering and Methodology. ACM Press, 2006. On virtual prototyping "Formal refinement checking in a system-level design methodology" Talpin, J.-P., Le Guernic, P., Shukla, S. K., Gupta, R., Doucet, F. Special Issue of Fundamenta Informaticae on Applications of Concurrency to System Design. IOS Press, 2004. On model-driven engineering "A metamodel for the design of polychronous systems" runette, C., Talpin, J.-P., Gamatié, A., Gautier, T. Journal of Logic and Algebraic Programming, Special Issue on Applying Concurrency Research to Industry. Elsevier, 2008. Website http://www.irisa.fr/espresso 68